
How can I add no server "cache control" no-store, no-cache" to an iRule

Hi, I am trying to add

no server "cache control" no-store, no-cache" to an iRule

in the following iRule but I am not sure where I can do it.

when CLIENT_ACCEPTED {
  if { [active_members [LB::server pool]] < 1 } {
    virtual abc
  }
}

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

For an out-of-service scenario in the case of HTTP(S) services, you have two options: issue an HTTP redirect to another service, or reply with content (a "sorry/out-of-service" page) from the BigIP itself. The best-case scenario is to reply with a 302 HTTP redirect to an external service which is hosted in a public cloud or VPS. The second-best option is to reply with a 302 HTTP redirect to an internal service that is hosted in the same data center, but serviced by another VS. If you cannot do either, just reply with an iFile (HTML document) from the BigIP itself.

If you bluntly select a secondary VS, you cannot include no-cache headers. It seems like you already found out why this approach is not ideal.

Comments on this Answer
Comment made 23-Mar-2018 by Frank 270

Hi Hannes, thanks for your reply. Actually, my ultimate goal is to land on a maintenance page in case all pool members are down without doing SSL bridging.

I tried using iFiles but with an iRule, it requires SSL bridging to use HTTP profile.

To make it work, I have created the iRule mentioned above, which will direct to another VS (maintenance page) in case all members are down, and on the maintenance page VS I am doing SSL bridging. It works fine, but when I re-enable the pool member and try to navigate to the URL, the maintenance page does not come up until after some time I close the browser, wait for a few minutes, then navigate to the URL and it starts to work fine.

I am trying to get an instantaneous response from the URL after I re-enable the pool member and hit the refresh button, without waiting.

Not sure if it is the recommended way of doing it.

Comment made 23-Mar-2018 by Hannes Rapp 3890

The TCP session prevails until timeout, unless you tear it down. Depending on a few circumstances, your problem may or may not be resolvable with the inclusion of a TCP::close statement. For the purpose of testing, add TCP::close to your code, on the next line after 'virtual abc'. This will tear down the connection by sending a TCP FIN packet to the client and wipe the connection from the table of the BigIP. This should result in a situation where your clients are not stuck in maintenance or no-maintenance mode for the duration of the TCP idle timeout.

All the best, and lmk if it works

Comment made 23-Mar-2018 by Frank 270

Hi Hannes, I tried adding TCP::close to my code but getting an error as follows:

TCP::close in rule (/Common/_maintenance_iRule) requires an associated TCP profile on the virtual-server

This is the only way I could find to host a maintenance page on F5 without doing SSL bridging. Is there any other way to make this code work?

Comment made 23-Mar-2018 by Hannes Rapp 3890

What exactly do you mean by SSL bridging? The situation where BigIP decrypts the incoming request, and then re-encrypts it before sending the request to the end-server? That's what SSL bridging is known as in F5 resources. However, some may consider SSL bridging a situation where middleware like BigIP does not interfere with SSL negotiation, and allows the end-server to establish the handshake with the client directly. Applying a TCP profile to the Virtual Server will not cause any harm in either scenario.

Comment made 23-Mar-2018 by Frank 270

I am using Performance Layer 4 for most of my virtual servers. PerformanceL4 does not allow HTTP profiles. iFiles and iRules trigger only when an HTTP profile is enabled, due to which I have to use a Standard-type VS. Changing the VS type from PL4 to Standard would require many maintenance windows.

For this reason I am using the above code to route traffic to a dummy VS where I am doing SSL decryption/encryption and hosting a generic sorry page. By this method I am able to use one iRule for all my PL4 virtual servers, which are more than 100.

If I look in the PL4 VS properties, I see their default TCP profile already configured. Not sure about the error which states it requires an associated TCP profile on the virtual-server, which is already there by default ???

I will appreciate it if you can please help to clarify.

Comment made 23-Mar-2018 by Hannes Rapp 3890

Indeed, TCP::close requires a Standard-type Virtual Server AND a TCP profile. I've just tested (BigIP 13.0) and can confirm this will not work in case of PerfL4 Virtual Servers. Therefore, the error code you're getting about absence of TCP profile is just misleading.

So to test this solution, you will also need to change your Virtual Server type among other things. Quite a hassle. Hopefully someone has another solution for you. If you're out of ideas, try applying an iRule that does nothing but TCP::close to your Maintenance Virtual Server. This should at minimum get rid of the maintenance lock, but I'm not sure if this will help with failover to your maintenance Virtual Server more frequently than once per TCP session.

0
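
An added example, not part of the original thread and not F5's or either poster's code: one way to send the no-cache headers asked about in the question, as an iRule attached to the Standard-type maintenance virtual server described above (the one that terminates TLS and therefore can carry an HTTP profile). The iFile name `sorry_page.html` is a hypothetical placeholder, and the status code and Retry-After value are assumptions.

```tcl
# Added example (not from the thread). Attach this to the Standard-type
# maintenance virtual server; HTTP_REQUEST needs an HTTP profile, so it will
# not fire on a Performance (Layer 4) virtual server.
when HTTP_REQUEST {
    # Assumption: an iFile with this hypothetical name has been uploaded
    # and holds the HTML of the sorry page.
    set body [ifile get "sorry_page.html"]

    # 503 marks the outage as temporary for clients and intermediaries.
    # noserver suppresses the Server header that HTTP::respond adds by default.
    # Cache-Control, Pragma and Expires keep browsers and proxies from
    # storing the maintenance page and replaying it after recovery.
    # Connection: close asks the client to reconnect for its next request,
    # so that request is evaluated on a fresh TCP connection.
    HTTP::respond 503 content $body noserver \
        "Content-Type" "text/html; charset=utf-8" \
        "Cache-Control" "no-store, no-cache" \
        "Pragma" "no-cache" \
        "Expires" "0" \
        "Retry-After" "60" \
        "Connection" "close"
}
```

The front virtual servers keep the original CLIENT_ACCEPTED rule unchanged; only the maintenance virtual server needs this rule.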